Bob245
Guide
Apr 30, 2019

How safe can an iSCSI LUN with CHAP security be

Hi everyone,
I have an RNDP4000 NAS unit with 4 WD 3 TB disks and firmware version 4.2.31. Before I upgrade to the OS6.x version (because I would like to have the encryption feature), I wanted to ask you how safe I can consider an iSCSI LUN protected with CHAP (with a strong 16-character password) in case someone steals my Netgear NAS. Thanks. Bob

3 Replies

    StephenB
    Guru - Experienced User

    Although I don't use the iSCSI LUN feature myself, I believe that CHAP authentication might not be enough to protect against theft. It does authenticate the initiator (and optionally the target). But since the thief has direct access to the LUN container, he might still be able to extract your data without using an initiator.

    Since the LUN is block storage and is formatted by the client, you should be able to encrypt the LUN itself. That would block direct data extraction (and any initiator would also need to know the encryption key). You could combine that with CHAP.


    Bob245 wrote:

     Before I upgrade to the OS6.x version (because I would like to have the encryption feature)


    IMO this feature has limited value, because you need to keep a thumb drive with the encryption key near or in the NAS. The thief likely will steal the key also, and could figure out what it is for. At least you should assume that he will.

    Operationally, you need to insert that key whenever you boot the NAS. That includes cases where the NAS is rebooted when you install the firmware and when power is restored after a power loss.

      Sandshark
      Sensei - Experienced User

      I put critical personal files in a VeraCrypt container on the NAS. I run VeraCrypt on the PC, not the NAS. Also, unless you are content with incredibly sluggish writes, put VeraCrypt containers in a volume with strict sync disabled.

      A BitLocker encrypted VHD or VHDX virtual drive can also be used if you have Windows Pro. Strict sync doesn't bother it.

        StephenB
        Guru - Experienced User

        Sandshark wrote:

        A BitLocker encrypted VHD or VHDX virtual drive can also be used if you have Windows Pro. 


        I believe that Microsoft is using iSCSI for those virtual drives.
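
The distinction drawn in the replies above, as an added example that is not part of the original thread: CHAP (MD5 over identifier, secret and challenge, per RFC 1994) only decides whether an initiator may log in, while the blocks in the LUN container are stored exactly as the client wrote them unless the client encrypts them first. `ToyTarget`, the sample secret and file name, and `toy_encrypt` (a SHAKE-256 XOR pad standing in for VeraCrypt/BitLocker-style client-side encryption, not a real cipher) are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 512  # bytes per logical block in this toy LUN

def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()

class ToyTarget:
    """Constructed model of a target: CHAP gates login, data sits in a backing store."""

    def __init__(self, secret: bytes, blocks: int = 8):
        self.secret = secret
        self.backing = bytearray(blocks * BLOCK)  # stands in for the LUN container on disk
        self.ident, self.challenge = 0, b""

    def challenge_initiator(self):
        self.ident, self.challenge = os.urandom(1)[0], os.urandom(16)
        return self.ident, self.challenge

    def login(self, response: bytes) -> bool:
        expected = chap_response(self.ident, self.secret, self.challenge)
        return hmac.compare_digest(expected, response)

    def write(self, lba: int, data: bytes) -> None:
        # CHAP plays no part here: blocks are stored exactly as the client sent them.
        self.backing[lba * BLOCK:lba * BLOCK + len(data)] = data

def toy_encrypt(key: bytes, lba: int, data: bytes) -> bytes:
    """Stand-in for client-side disk encryption; NOT a real cipher, illustration only."""
    pad = hashlib.shake_256(key + lba.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def demo():
    # Constructed sample values: a 16-character CHAP secret and a recognisable file name.
    secret, marker = b"constructed-16ch", b"tax-return-2018.pdf"
    target = ToyTarget(secret)
    ident, chal = target.challenge_initiator()
    wrong = target.login(chap_response(ident, b"guess", chal))   # login refused
    right = target.login(chap_response(ident, secret, chal))     # login accepted
    target.write(0, marker)                        # CHAP-only LUN
    exposed = marker in bytes(target.backing)      # readable straight from the disks
    target.write(0, toy_encrypt(b"key held on the PC", 0, marker))  # encrypt before writing
    exposed_encrypted = marker in bytes(target.backing)
    return wrong, right, exposed, exposed_encrypted

if __name__ == "__main__":
    print(demo())
```

The CHAP secret never touches the stored blocks, so its strength has no bearing on what can be read from the disks directly; only a key held away from the NAS changes that.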
